Microsoft Rushes Out Patch to IIS Exploit

The FTP server opens a hole that could lead to administrator compromise.

Microsoft sent out a Security Advisory late Tuesday warning users of a critical
zero-day flaw in older versions of its Internet Information Services (IIS) Web server
software.

Although Microsoft said in the advisory that to date it knows of no active attacks in
the wild, the company said it has seen "detailed exploit code published on the
Internet."

"We're currently investigating the issue as part of our Software Security Incident
Response Process and working to develop a security update 'which' will be
released once it reaches an appropriate level of quality for broad distribution," Alan
Wallace, senior communications manager, said in a
posting on the Microsoft Security Response Center blog.

Tuesday's advisory warns users about a hole in the file transfer protocol (FTP)
functions of IIS 5.0, 5.1, and 6.0. Using the FTP service to retrieve files from a server
by typing at the command-line prompt is a popular method for more technical users to
handle files stored on Web servers.

Later versions of IIS -- specifically, IIS 7.0 and 7.5 -- are not affected, according
to the advisory. The affected versions of IIS came with Windows 2000 Service Pack 4
(SP4), Windows XP SP2 and SP3, and Windows Server 2003 SP2, including both 32-bit and
64-bit editions. Windows 7 and Windows Server 2008 are not affected.
